Updated on 2024-07-30 GMT+08:00

Security Auditing on Permissions of IAM Users

Scenario

Enterprise users usually need to periodically audit the permissions of the IAM users created in the public cloud, to ensure that each IAM user has only the permissions required for their tasks. Generally, only account administrators and auditors should hold IAM administration permissions; ordinary IAM users should not. Periodic security audits can be automated through the APIs.

This section describes how to perform a security audit of IAM user permissions by calling APIs. The same sequence of calls can be scripted to run the audit periodically.

Prerequisites

To audit IAM user permissions as an auditor, ensure that you have been assigned the IAM ReadOnlyAccess policy (recommended) or Security Administrator role.

General Procedure

To audit the permissions of IAM users, perform the following procedure:

  1. List all the user groups.
  2. Query the permissions of each user group for the global service project.
  3. Query the permissions of each user group for region-specific projects.
  4. Determine the permissions to be audited and query the IAM users in each user group that has been assigned these permissions.

The APIs used in each step of this example are described below.

Step 1: List All the User Groups

URI: GET /v3/groups

For details about the API, see Listing User Groups.

  • Example Request
    GET https://iam.myhuaweicloud.com/v3/groups
  • Example Response
    {
         "groups":[
             {
                 "create_time":1536293929624,
                 "description":"IAMDescription",
                 "domain_id":"d78cbac186b744899480f25bd022....",
                 "id":"5b050baea9db472c88cbae67e8d6....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/groups/5b050baea9db472c88cbae67e8d6...."
                 },
                 "name":"IAMGroupA"
             },
             {
                 "create_time":1578107542861,
                 "description":"IAMDescription",
                 "domain_id":"d78cbac186b744899480f25bd022....",
                 "id":"07609e7eb200250a3f7dc003cb7a....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a...."
                 },
                 "name":"IAMGroupB"
             }
         ],
         "links":{
             "self":"https://iam.myhuaweicloud.com/v3/groups"
         }
     }

Step 2: Query Permissions of Each User Group for the Global Service Project

URI: GET /v3/domains/{domain_id}/groups/{group_id}/roles

For details about the API, see Querying Permissions of a User Group for a Global Service Project.

  • Example Request
    GET https://iam.myhuaweicloud.com/v3/domains/{domain_id}/groups/{group_id}/roles
  • Example Response
    {
         "links":{
             "self":"https://iam.myhuaweicloud.com/v3/domains/d78cbac186b744899480f25bd022f468/groups/077d71374b8025173f61c003ea0a11ac/roles"
         },
         "roles":[
             {
                 "catalog":"CDN",
                 "description":"Allow Query Domains",
                 "description_cn":"Description of the permission in Chinese",
                 "display_name":"CDN Domain Viewer",
                 "flag":"fine_grained",
                 "id":"db4259cce0ce47c9903dfdc195eb....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/roles/db4259cce0ce47c9903dfdc195eb...."
                 },
                 "name":"system_all_11",
                 "policy":{
                     "Statement":[
                         {
                             "Action":[
                                 "cdn:configuration:queryDomains",
                                 "cdn:configuration:queryOriginServerInfo",
                                 "cdn:configuration:queryOriginConfInfo",
                                 "cdn:configuration:queryHttpsConf",
                                 "cdn:configuration:queryCacheRule",
                                 "cdn:configuration:queryReferConf",
                                 "cdn:configuration:queryChargeMode",
                                 "cdn:configuration:queryCacheHistoryTask",
                                 "cdn:configuration:queryIpAcl",
                                 "cdn:configuration:queryResponseHeaderList"
                             ],
                             "Effect":"Allow"
                         }
                     ],
                     "Version":"1.1"
                 },
                 "type":"AX"
             }
         ]
     }

Step 3: Query Permissions of Each User Group for Region-specific Projects

URI: GET /v3/projects/{project_id}/groups/{group_id}/roles

For details about the API, see Querying Permissions of a User Group for a Region-specific Project.

  • Example Request
    GET https://iam.myhuaweicloud.com/v3/projects/{project_id}/groups/{group_id}/roles
  • Example Response
    {
         "links":{
             "self":"https://iam.myhuaweicloud.com/v3/projects/065a7c66da0010992ff7c0031e5a..../groups/077d71374b8025173f61c003ea0a..../roles"
         },
         "roles":[
             {
                 "catalog":"AOM",
                 "description":"AOM read only",
                 "description_cn":"Description of the permission in Chinese",
                 "display_name":"AOM Viewer",
                 "flag":"fine_grained",
                 "id":"75cfe22af2b3498d82b655fbb39d....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/roles/75cfe22af2b3498d82b655fbb39d...."
                 },
                 "name":"system_all_30",
                 "policy":{
                     "Statement":[
                         {
                             "Action":[
                                 "aom:*:list",
                                 "aom:*:get",
                                 "apm:*:list",
                                 "apm:*:get"
                             ],
                             "Effect":"Allow"
                         }
                     ],
                     "Version":"1.1"
                 },
                 "type":"XA"
             }
         ]
     }

Step 4: Determine the Permissions to Be Audited and Query IAM Users Granted These Permissions

URI: GET /v3/groups/{group_id}/users

For details about the API, see Querying the IAM Users in a Group.

  • Example Request
    GET https://iam.myhuaweicloud.com/v3/groups/{group_id}/users
  • Example Response
    {
         "links":{
             "self":"https://iam.myhuaweicloud.com/v3/groups/07609e7eb200250a3f7dc003cb7a..../users"
         },
         "users":[
             {
                 "description":"--",
                 "domain_id":"d78cbac186b744899480f25bd022....",
                 "enabled":true,
                 "id":"07609fb9358010e21f7bc003751c....",
                 "last_project_id":"065a7c66da0010992ff7c0031e5a....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/users/07609fb9358010e21f7bc003751c...."
                 },
                 "name":"IAMUserA",
                 "pwd_status":true
             },
             {
                 "description":"",
                 "domain_id":"d78cbac186b744899480f25bd022....",
                 "enabled":true,
                 "id":"076837351e80251c1f0fc003afe4....",
                 "last_project_id":"065a7c66da0010992ff7c0031e5a....",
                 "links":{
                     "self":"https://iam.myhuaweicloud.com/v3/users/076837351e80251c1f0fc003afe4...."
                 },
                 "name":"IAMUserB",
                 "pwd_status":true
             }
         ]
     }
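The four steps above, combined into one audit script. This is an added example, not Huawei Cloud's own code: it lists the groups, reads each group's roles for the global service project and for each region-specific project, flags roles that grant the audited permissions, and then lists the users of every flagged group. The HTTP layer is isolated behind a single `fetch(path)` callable, so the audit logic runs offline against the constructed responses embedded below. The `X-Auth-Token` header, the `AUDITED_ACTIONS` list, the project IDs, and all sample IDs and role names are assumptions for the example; only `Security Administrator` and the URI paths come from the page.

```python
"""Audit which IAM users belong to groups that hold IAM administration permissions.

Added example (not Huawei Cloud's own code). Steps, in page order:
  1. GET /v3/groups
  2. GET /v3/domains/{domain_id}/groups/{group_id}/roles     (global service project)
  3. GET /v3/projects/{project_id}/groups/{group_id}/roles   (region-specific projects)
  4. GET /v3/groups/{group_id}/users                         (only for flagged groups)
"""
import json
import urllib.request
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple

IAM_ENDPOINT = "https://iam.myhuaweicloud.com"  # endpoint used by the page

# Assumption: the permissions the auditor wants to catch. Named system roles are
# matched by display name; fine-grained policies are matched by action pattern.
AUDITED_ROLE_NAMES = {"Security Administrator"}
AUDITED_ACTIONS = ("iam:users:createUser", "iam:permissions:grantRoleToGroup")  # assumed action names


def role_is_privileged(role: dict) -> bool:
    """True if the role is a watched system role or its policy allows an audited action."""
    if role.get("display_name") in AUDITED_ROLE_NAMES:
        return True
    for stmt in role.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A policy action such as "iam:*" is a glob that covers the concrete audited action.
        if any(fnmatchcase(a, pattern) for pattern in actions for a in AUDITED_ACTIONS):
            return True
    return False


def audit_groups(fetch: Callable[[str], dict], domain_id: str,
                 project_ids: List[str]) -> Dict[str, dict]:
    """Return {group_name: {"roles": [(scope, role_name)], "users": [user_name]}} for flagged groups."""
    findings: Dict[str, dict] = {}
    for group in fetch("/v3/groups")["groups"]:                                    # step 1
        gid = group["id"]
        scopes: List[Tuple[str, str]] = [("global", f"/v3/domains/{domain_id}/groups/{gid}/roles")]  # step 2
        scopes += [(pid, f"/v3/projects/{pid}/groups/{gid}/roles") for pid in project_ids]         # step 3
        flagged = [(scope, role.get("display_name") or role["name"])
                   for scope, path in scopes
                   for role in fetch(path)["roles"] if role_is_privileged(role)]
        if flagged:                                                                # step 4
            users = [u["name"] for u in fetch(f"/v3/groups/{gid}/users")["users"]]
            findings[group["name"]] = {"roles": flagged, "users": users}
    return findings


def http_fetch(token: str) -> Callable[[str], dict]:
    """Real client: GET the IAM endpoint authenticated with an X-Auth-Token header (assumed scheme)."""
    def fetch(path: str) -> dict:
        req = urllib.request.Request(IAM_ENDPOINT + path, headers={"X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample responses (not real data): IAMGroupA holds only a CDN viewer role,
# IAMGroupB holds Security Administrator globally and an "iam:*" policy in project p-1.
SAMPLE = {
    "/v3/groups": {"groups": [{"id": "g-a", "name": "IAMGroupA"}, {"id": "g-b", "name": "IAMGroupB"}]},
    "/v3/domains/d-1/groups/g-a/roles": {"roles": [
        {"name": "system_all_11", "display_name": "CDN Domain Viewer", "type": "AX",
         "policy": {"Statement": [{"Effect": "Allow", "Action": ["cdn:configuration:queryDomains"]}],
                    "Version": "1.1"}}]},
    "/v3/domains/d-1/groups/g-b/roles": {"roles": [
        {"name": "constructed_secadmin", "display_name": "Security Administrator", "type": "AX"}]},
    "/v3/projects/p-1/groups/g-b/roles": {"roles": [
        {"name": "constructed_iam_ops", "display_name": "Custom IAM Ops", "type": "XA",
         "policy": {"Statement": [{"Effect": "Allow", "Action": ["iam:*"]}], "Version": "1.1"}}]},
    "/v3/groups/g-b/users": {"users": [{"name": "IAMUserA", "enabled": True},
                                       {"name": "IAMUserB", "enabled": True}]},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for http_fetch; paths with no sample entry return an empty role list."""
    return SAMPLE.get(path, {"roles": []})


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch("<token>") and real domain/project IDs to run against the cloud.
    for name, detail in audit_groups(sample_fetch, "d-1", ["p-1"]).items():
        print(f"{name}: roles={detail['roles']} users={detail['users']}")
```

Treating the policy actions as globs matters: a fine-grained policy granting `iam:*` covers every audited IAM action, so a substring or exact-name check would miss it. Groups with no flagged role never trigger the step 4 call, which keeps the audit to the minimum number of requests.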